
Active Directory issues main server failing

413 Views
Last Modified: 2014-05-25
Currently have a network setup with the following servers:

Computer name    OS
Server           Windows 2003 SBS
Data             Windows 2003 Std
Exchange         Windows 2008 Std, running Exchange 2010

I have been migrating Exchange from "server" to the "exchange" server, as well as moving the DHCP, DNS and Active Directory roles.
Server (2003 SBS) is now failing (hardware), so I was hoping to get the server down and removed from the directory.

Currently having lots of issues with Active Directory, to the point where if Server is offline no computers can log in, even though all roles have been moved to Exchange.

I have attached a dcdiag which was run on the exchange server. Looks to me like the DNS entries are wrong, but I need help working it out.
dcdiag.txt

An error such as Fatal Error: DsGetDcName can have various causes.

Please post:
How many DCs in the forest?
An unedited ipconfig /all from the DCs and from a sample workstation
Any Event log errors? We'll need the EventID# and the Source Name in the errors. You can use the copy/paste function in the event viewer.
What operating system and service pack level are the servers?
Thomas Grassi, Systems Administrator

Commented:
Another error I saw was "no GC (Global Catalogs) found".

It is not best practice to make your Exchange server a DC.

As the post above asked:

How many DCs do you have?

Run dcdiag on all and post.

Author

Commented:
I was just going to post them up for you, but "server" has gone down again, killing the other server in the process.

Cannot get access to "server" until tomorrow now to get it and "data" back online.

My plan was to get "exchange" running the network and then, when all is quiet, replace "data", which would then be the future main DC, leaving exchange alone to do its thing.

I think the main thing I need to sort is why the network refuses to see "exchange" as a DC for logins. If I can sort this, at least I can get the network up and running, as "server" is powering down every 4-5 hours currently; I don't think it's going to last much longer.

To note: 3 DC servers in total, all set as global catalogs. I have moved the FSMO roles to exchange, but the rest of the network does not seem to recognise this and is still trying to go to "server".
ipconfig---exchange.txt

Author

Commented:
Managed to get the data server online, as well as a client to log in; attaching ipconfigs and dcdiags from them as well.

When pinging upandunder.local on the client and the data server,

both report 192.168.0.200 (which is the faulty server, currently offline).

Pinging upandunder.local on the exchange server points to itself (192.168.0.25).

How do I update the DNS server to point correctly?
dcdiag---data.txt
ipconfig---data.txt
ipconfig---client.txt
Thomas Grassi, Systems Administrator

Commented:
Well, your DNS server entry is not correct on exchange. 127.0.0.1 is not a valid DNS server entry.

Your other computer, data, has 192.168.0.25 for the DNS server. Who is 192.168.0.25?

The two DCs other than exchange should also be running DNS.

Do not put any AD roles on the Exchange server. Not good practice.

Again, do not make exchange a DC.

Author

Commented:
I have now changed the DNS entry to 192.168.0.25 (itself; thought I was okay with 127.0.0.1).

192.168.0.25 is "exchange".

The other 2 DCs are soon to be replaced ("server" is failing/failed), so I didn't see the point in having DNS on there when it's running on "exchange".

In regards to running AD roles on the exchange server, this is only a temporary measure while the other server is migrated. What are the downsides to doing this? I don't plan on leaving it this way permanently.
Thomas Grassi, Systems Administrator

Commented:
OK, I see.

Let's see if computers can log on to AD now.

They are all using DHCP, correct? Pointing to 192.168.0.25 for DNS?

Author

Commented:
All clients are using DHCP, and DHCP sets 192.168.0.25 as the DNS server.

I've tried to log in using a client and it does seem to log in after a while.

It also takes a long time to log out.

Pinging upandunder.local from the client comes back as 192.168.0.70 (the data DC server, not exchange).
If I then run ipconfig /flushdns

it then comes back as 192.168.0.25.
Thomas Grassi, Systems Administrator

Commented:
Post ipconfig /all from that computer.

Author

Commented:
Windows IP Configuration

        Host Name . . . . . . . . . . . . : oem-4a3b72d24f4
        Primary Dns Suffix  . . . . . . . : upandunder.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : upandunder.local
                                            upandunder.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : upandunder.local
        Description . . . . . . . . . . . : Realtek RTL8168D(P)/8111D(P) PCI-E Gigabit Ethernet NIC
        Physical Address. . . . . . . . . : 00-25-22-81-52-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.93
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.25
        DNS Servers . . . . . . . . . . . : 192.168.0.25
        Lease Obtained. . . . . . . . . . : 19 May 2014 19:35:27
        Lease Expires . . . . . . . . . . : 27 May 2014 19:35:27


To note: the earlier uploaded file ipconfig-client was the incorrect file; that was from the exchange server.
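An added check, not something posted in the thread, that parses the ipconfig /all format shown above and flags the DNS entries this thread keeps running into (a loopback entry on a DC, and a decommissioned DNS server such as 192.168.0.70). The sample dump and the live/decommissioned DC lists are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the ipconfig /all output posted above; the
# 127.0.0.1 DNS entry is the misconfiguration pointed out on the exchange DC.
EXCHANGE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : exchange
        Primary Dns Suffix  . . . . . . . : upandunder.local

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.25
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 127.0.0.1
                                            192.168.0.70
"""

# "Label . . . . : value" lines; extra values continue on indented lines below.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /()-]*?)[ .]*: (.*)$")

def parse_ipconfig(text):
    """Return {label: [value, ...]} for a single-adapter ipconfig /all dump."""
    fields, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1).strip()
            fields.setdefault(current, []).append(m.group(2).strip())
        elif current and line.startswith("        ") and line.strip():
            fields[current].append(line.strip())   # continuation (2nd DNS server etc.)
        else:
            current = None                          # blank line or adapter header
    return fields

def dns_findings(fields, live_dcs, decommissioned=()):
    """Flag DNS entries that stop a domain member from locating a working DC.

    live_dcs: addresses of DCs that currently run AD-integrated DNS (assumed to be
    known to the admin); decommissioned: former DNS servers that are now offline."""
    out = []
    for raw in fields.get("DNS Servers", []):
        if ip_address(raw).is_loopback:
            out.append(f"{raw}: loopback entry; point at the DC's LAN address instead")
        elif raw in decommissioned:
            out.append(f"{raw}: former DNS server that is now offline; logons will hang")
        elif raw not in live_dcs:
            out.append(f"{raw}: not an AD DNS server; domain SRV records will not resolve")
    return out
```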
Thomas Grassi, Systems Administrator

Commented:
Try this:

ipconfig /all >c:\ipcfg.txt

That will save it to a file; then copy it to the computer you are using for this site and attach the file.

Author

Commented:
File attached.
ipcfg.txt
Thomas Grassi, Systems Administrator

Commented:
Was 192.168.0.70 a DNS server before?

If so, are the DNS server services still running?

Another thing: what is 192.168.0.1? Cisco?

Check to see what DNS settings are in that device.

Author

Commented:
192.168.0.70 was once a DNS server, as a backup, but has since been removed.

192.168.0.1 is the company ADSL router (DHCP disabled).
It's used as a gateway and also for external DNS requests.

To note: running DCDiag on the server still says no GC servers are available; it's as if even the server itself cannot see itself.
Thomas Grassi, Systems Administrator

Commented:
OK.

Check the ADSL router for its local network settings; make sure its local LAN connection is pointing at 192.168.0.25 and not 192.168.0.70.

I would flush DNS on the router; I believe it still has 192.168.0.70 cached.

Are you sure the Exchange server has been made a GC? Double check that.

Author

Commented:
How do I check exchange is running as a GC?

The box is ticked when I right click the computer in Sites and Services.
Thomas Grassi, Systems Administrator

Commented:
Try this:

dsquery server -isgc

Author

Commented:
Get this back as the result:

"CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=upandunder,DC=local"
"CN=DATA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=upandunder,DC=local"
"CN=EXCHANGE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=upandunder,DC=local"

I have also changed external DNS lookups now to Google, in case the ADSL router is causing the issue.

Author

Commented:
Looking deeper into things, it looks like I have no netlogon on the 2 working servers! This would explain why clients are having a hard time logging in when only these 2 servers are online.

When running dcdiag /test:netlogons:

The Windows 2008 machine fails on:
Unable to connect to the netlogon share! (\\exchange\netlogon)
[exchange] An net use or LsaPolicy operation failed with error 67
The network name cannot be found

The Windows 2003 machine fails on:
Unable to connect to the netlogon share! (\\data\netlogon)
[data] An net use or LsaPolicy operation failed with error 1203, Win32 error 1203

It looks like the main server (which is now badly failing due to a faulty HDD and overheating issues) is not replicating to the other servers because of this.

What should I do?
Thomas Grassi, Systems Administrator

Commented:
Run this: netdom query FSMO

Are you sure the roles transferred to exchange?

Check DC -> NTDS Settings. What do you have there?
You need to implement your contingency plan pronto. You can't even think of doing anything before backing up that server and replacing it. Image the HDD to a new one and get a server that doesn't overheat. I do not recommend working on the AD records without having a stable hardware platform in place.

Afterwards you can check who has what role, what's missing, etc.

Author

Commented:
There's no hard data on the server; this has all been moved away.

Can you recommend a method for backing up the Active Directory?

Both of the other DCs seem to have replicated all usernames, passwords etc. okay; it just seems like the netlogon and GC stuff is not going.

Looks like there have been some DNS issues in the past, which I'm sorting out at the moment. Then I think to get replication running okay, then I'll move the FSMO roles again (moved them back to the original server for now to get the network up and running).

Have also sent someone out on site to stop the old server overheating and crashing :)

Author

Commented:
I've now got DNS working correctly on all 3 DCs; they can all see each other correctly and the DNS tests all pass (they didn't before).

Currently trying to sort the netlogon issues with the data server, as there are no sysvol or netlogon shares there.

If I can get this server working I can then move all the FSMO roles to this server.

Running dcdiag /test:netlogons I get the following:

Doing primary tests

   Testing server: Default-First-Site-Name\DATA
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DATA\netlogon)
         [DATA] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
         ......................... DATA failed test NetLogons
Good job. You should transfer all Active Directory roles. After that you can discard the old server, with or without dcpromo delete (http://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx). If you remove it while it's still active, I guess it's a cleaner process.

Author

Commented:
Problem is I have no netlogon or sysvol on any server other than the failing server.

So even if I do move the FSMO roles, clients still won't be able to log on.

Trying every fix I can find for that error 1203 and cannot get the share folders to appear.
Did you install the feature NTFRS on the 2008 servers, which is used in 2003 domains to perform sysvol replication?

Run repadmin /showreps and post the output.

NTFRS is under the role File Services -> Add Role Services -> Windows Server 2003 File Services (File Replication Service).

Author

Commented:
Just installed the role on the 2008 server (to note: the data server is 2003; currently the main objective is to get that running the network, I can worry about the 2008, which is running Exchange Server, later).

Didn't know which server you wanted repadmin /showreps run from, so attached all 3:
repadmin---exchange.txt
repadmin---server.txt
repadmin---data.txt
After installing NTFRS, run the following command on all servers:

ntfrsutl ds |findstr /i "root stage"

Author

Commented:
Exchange :
Root      : c:\windows\sysvol\domain
Stage     : c:\windows\sysvol\staging\domain

Server :
Root      : c:\windows\sysvol\domain
Stage     : c:\windows\sysvol\staging\domain

Data :
Root      : c:\windows\sysvol\domain
Stage     : c:\windows\sysvol\staging\domain

(I didn't install anything on the 2003 servers for NTFRS; I take it this is correct?)
No need to install anything on the 2003 server.

Any errors in the event log on the 2008 servers?

Author

Commented:
From what I can see I was getting file replication warnings from server to exchange, but these stopped an hour ago and nothing since then.

Getting some MSExchange ADAccess errors:
Process MAD.EXE (PID=1236). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
SERVER.upandunder.local      CDG 1 7 7 1 0 1 1 7 1
data.upandunder.local      CDG 1 7 7 1 0 1 1 0 1
EXCHANGE.upandunder.local      CDG 1 7 7 1 0 1 1 0 1
 Out-of-site:
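As an added example (not from the thread), this decodes the ADAccess "discovered servers" rows quoted above and lists the DCs whose NETLOGON share failed the check, which is exactly the symptom of clients not getting GPOs. The sample rows are constructed to match the post; the bit-flag decoding (1 = GC, 2 = domain, 4 = config, so 7 = all three checks passed) follows the layout of that Exchange ADAccess event.

```python
import re

# Constructed sample in the shape of the MSExchange ADAccess output quoted above
# (three DCs; only SERVER passes the Netlogon check).
ADACCESS_SAMPLE = """\
In-site:
SERVER.upandunder.local      CDG 1 7 7 1 0 1 1 7 1
data.upandunder.local      CDG 1 7 7 1 0 1 1 0 1
EXCHANGE.upandunder.local      CDG 1 7 7 1 0 1 1 0 1
 Out-of-site:
"""

# Column order as printed in the event header above (after the server name).
COLUMNS = ("roles", "enabled", "reachability", "synchronized", "gc_capable",
           "pdc", "sacl_right", "critical_data", "netlogon", "os_version")
# Reachability, Synchronized and Netlogon are bit flags over the naming contexts
# checked: 1 = GC, 2 = domain, 4 = configuration; 7 = all passed, 0 = none.
BITS = ((1, "GC"), (2, "Domain"), (4, "Config"))

# fqdn, role letters (C/D/G), then the nine numeric columns
ROW_RE = re.compile(r"^(\S+\.\S+)\s+([CDG]+)\s+((?:\d+\s*){9})$")

def parse_adaccess(text):
    """Return {fqdn: {column: value}} for every DC row in the event text."""
    dcs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            values = [m.group(2)] + [int(n) for n in m.group(3).split()]
            dcs[m.group(1)] = dict(zip(COLUMNS, values))
    return dcs

def decode_mask(value):
    """Names of the naming-context checks that succeeded for a 0..7 value."""
    return [name for bit, name in BITS if value & bit]

def dcs_missing_netlogon(dcs):
    """DCs Exchange can reach but whose NETLOGON share failed every check.
    Clients that home on one of these get no logon scripts and no GPOs."""
    return sorted(fqdn for fqdn, rec in dcs.items() if rec["netlogon"] == 0)

def report(dcs):
    """One readable line per DC, with the bit-flag columns decoded."""
    return [f"{fqdn}: roles={rec['roles']} reach={decode_mask(rec['reachability'])} "
            f"netlogon={decode_mask(rec['netlogon']) or 'NONE'}"
            for fqdn, rec in dcs.items()]
```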
Good. Do you have the shares now?

Author

Commented:
Hi

No, still no shares :(

Server has sysvol & netlogon.

exchange has sysvol.

data has nothing.

Do you think running dcpromo on data to remove it as a DC, then running it again, might help?
Thomas Grassi, Systems Administrator

Commented:
You need to get replication working between data and exchange.

Do not dcpromo until exchange AD is working correctly.

Author

Commented:
Right, just performed a reboot on the exchange server.

Get the attached event.

When I browse to \\upandunder.local\
it looks like it's going to the \\data share, which doesn't have a sysvol or netlogon, so it cannot get the GPO.
event.txt
On your 2008 servers:
    1. Stop the NTFrs service.
    2. Delete the "dns domain name" folder from c:\windows\SYSVOL\staging areas.
    3. Create the junction point by running the following command: mklink /J "c:\windows\sysvol\staging areas\dns domain name" c:\windows\sysvol\staging\domain
    4. Delete the "dns domain name" folder from c:\windows\SYSVOL\sysvol.
    5. Create the junction point by running the following command: mklink /J "c:\windows\sysvol\sysvol\dns domain name" c:\windows\sysvol\domain
    6. Start the NTFrs service.

Check for errors in the event log.

Author

Commented:
When running

mklink /J "c:\windows\syslog\staging areas\dns domain name" c:\windows\sysvol\staging\domain

in the cmd line I'm getting the following:
The system cannot find the path specified.

Author

Commented:
Also tried the following, with the same effect:

mklink /J "c:\windows\syslog\staging areas\upandunder.local" c:\windows\sysvol\staging\domain
Did you change "dns domain name" to your own?

Author

Commented:
Yeah.

Used:

mklink /J "c:\windows\syslog\staging areas\upandunder.local" c:\windows\sysvol\staging\domain

Author

Commented:
Got the command working now and restarted NTFRS.

No errors as of yet, but also no netlogon share.
Thomas Grassi, Systems Administrator

Commented:
Here, I found this that might help you:

http://support.microsoft.com/kb/947022
Seems to be damaged beyond what I initially estimated. Let's reset the whole tree to be sure.

Did you at least get the Sysvol share back?

Author

Commented:
Yeah, already got the sysvol share back a few days ago on exchange.

Nothing at all on data (Windows 2003 Std).
Can you add another DC, a temporary one, to hold the roles and to work on? 2003 if possible.

Author

Commented:
Yeah, it's possible I suppose.

Let me see what I can sort out.

Author

Commented:
Try this before putting another server in, or after?
I'd do it after, and on the temp server.

Author

Commented:
Okay, I'm off the next 4-5 days so I'll get something plumbed in next week.

In the meantime, should I back up from the old server using NTBackup to back up the Active Directory?
I'd download a trial version of Backup Exec for a complete backup and later easy restore.

https://www4.symantec.com/Vrt/offer?a_id=91523
or
https://www4.symantec.com/Vrt/offer?a_id=30140

Author

Commented:
Just an update: I've managed to get replication working correctly now :) and the data server does indeed have netlogon and sysvol shares. Waiting on the exchange server to replicate and hopefully that will have them as well. Then I can get on with moving the FSMO roles and getting the failing server offline.

What I did was run the following on the failing server on the network:

To fix the problem, you must designate a domain controller to be authoritative for the Sysvol replica set:
1. Stop the File Replication service on the PDC emulator FSMO role holder.
2. Use the Registry Editor to navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

3. Double-click the BurFlags value name, a REG_DWORD data type, and set the data value to D4, using the Hex radix.
4. Exit the Registry Editor.
5. Start the File Replication service.
Excellent! Sounds promising.